Tuesday, May 10, 2011

Considering Social Media, Mindful of HIPAA

Social Media is the latest fad to sweep the world and has ignited debate about issues of privacy that are similar to the concerns that resulted in the passage of HIPAA. Some feel that privacy is irrelevant and that the benefits (whatever they may be) of free access to everything about everyone outweigh any harm that could be done by allowing such access. Others think that everything should be absolutely protected and private unless the individual authorizes its release (and maybe not even then).

These are the polar positions. Reality is swimming around somewhere in the middle. The fact is that no matter how hard one tries to “hide” from electronic view, it is virtually impossible unless you are a recluse, living off the land and completely shunning society and the economy. Otherwise, there are so many records available online that any notion of being anonymous or private is illusory. Of course, the fact that information is unavoidably available is not a good reason to reveal everything else, as the permissive pole advocates.

In healthcare, there are HIPAA “Hawks” and “Doves.” The regulations state that a covered entity is permitted to use or disclose protected health information for the purpose of treatment, payment, or healthcare operations. The Hawks, often administrators or IT people, appear to be more concerned with the legal consequences of violating the regulations than with the negative impact on care if information cannot be accessed. To them, virtually any access or transfer of information constitutes a release or disclosure and is forbidden unless specifically authorized by the patient. The Doves tend to take a broad view of treatment and healthcare operations and fall somewhere in the middle of the poles described above. Privacy is desirable, but when someone’s care depends on communication with others (whether family members or other practitioners), the Doves believe that these communications are a legitimate part of treatment and healthcare operations and are allowable without explicit consent.

Communications that fall into the allowable category are easy to accomplish over the phone or in writing but become very challenging if attempted electronically, because the HIPAA security regulations require levels of security that are incompatible with the public Internet. The requirements for encryption and the like virtually necessitate the creation of private networks, but the very presence of private networks makes much of the necessary communication impossible. Almost by definition, if everyone who might need to participate in the communication were part of the private network, it wouldn’t be private any more.

There are two keys to making sense of all this. One is to look at actual behavior; the other is to take a different approach to patient consent regarding privacy matters.

It appears that most people will allow the use of specific pieces of otherwise private data if they get something of value in exchange, such as convenience, access to information, or the chance to shop. In other settings, such as Facebook, many people (apparently) happily post all sorts of information that you or I might consider too private to reveal. The conclusion is that while many people are concerned about privacy (and their concerns should be respected), not everyone who claims to value privacy acts in accordance with their stated beliefs. If you have something valuable to offer them, most will accept the slightly increased risk to their privacy in order to take advantage of what you have to offer.

My conclusion, and it’s only my opinion, is that the way to deal with this is to develop an informed consent policy relating to your data practices that tells patients what you intend to do regarding unencrypted e-mails, faxes, and social media sites. If you believe that these sorts of communication opportunities, which have the potential to violate strict privacy standards, would in fact benefit your patients and your practice, then the best thing to do is to tell your patients. Give them an opportunity to opt in (if you have a way to respect the wishes of those who don’t) or give them a chance to choose a different doctor that does not use social media and electronic communications. You may end up attracting more patients than you lose. I’m not a lawyer but it seems to me that any “disclosure” to which the patient has given their explicit, fully informed consent would be defensible against a claim of it being a HIPAA violation.